Industrial Strength Refinement Checking Jesse Bingham, John - - PowerPoint PPT Presentation

1

Industrial Strength Refinement Checking

Jesse Bingham, John Erickson, Gaurav Singh, and Flemming Andersen Intel IAG FMCAD 2009

2

Introduction

 Standard approach to FV of HW protocols

 Develop high level model (HLM) in guarded-command-

like language (eg Murphi, TLA, Spin etc)

 Write invariants, e.g. cache coherence  Model check as big as you can

 So the HLM is golden, but what about the

implementation (RTL)?

 Ideal: prove that RTL implements HLM… hard!  Our solution: test that RTL implements HLM during

dynamic simulation

 check == test in this talk/paper

3

Key point #1

The ingredients needed for equivalence testing are also needed to prove implementation. ⇒ might as well start with testing

4

What should Implements Mean?

 What does it mean for RTL to implement HLM? They

have different

 execution semantics  state variables/representations  rule atomicity (HLM has more)  rule concurrency (RTL has more)

 Not always clear [Vardi FMCAD09]  For our domain, we found a notion we call behavioral

refinement appropriate…

 Similar to notion of Bluespec and also super-scalar

processor verification literature

5

RTL Behavior (i.e. simulation)

…

• ne RTL clock cycle

reset state

Behavioral Refinement

6

Murphi Behavior RTL Behavior

…

• ne RTL clock cycle

…

reset state initial state a rule fires

RTL Behavior (i.e. simulation) Murphi Behavior (witness)

Behavioral Refinement

7

Murphi Behavior RTL Behavior

…

• ne RTL clock cycle

…

reset state initial state Refinement map a rule fires

RTL Behavior (i.e. simulation) Murphi Behavior (witness)

Behavioral Refinement

8

Murphi Behavior (witness) RTL Behavior

…

• ne RTL clock cycle

…

reset state initial state Refinement map Each RTL clock cycle corresponds to zero or more rules firing a rule fires

RTL Behavior (i.e. simulation)

Behavioral Refinement

9

How Refinement Checker Works

Idea: at each RTL cycle, select what sequence of rules are about to fire

RTL simulation r

…

10

How Refinement Checker Works

Idea: at each RTL cycle, select what sequence of rules are about to fire

Murphi RTL simulation r RM(r)

… …

11

How Refinement Checker Works

Idea: at each RTL cycle, select what sequence of rules are about to fire

Murphi RTL simulation

…

r RM(r) Next

… …

Rule selection

12

Murphi RTL simulation

How Refinement Checker Works

…

r RM(r) r′ RM(r′ )

=?

Next

… …

Rule selection

Idea: at each RTL cycle, select what sequence of rules are about to fire

13

Cache Controller Main Memory CPU

Example: Toy Cache Controller

14

… … …

State

CacheArray

Cpu2Cache Cache2Mem Invalid Dirty Clean 0xC54 0x6D7 0x01 0x823E Addr Data

Toy Cache in Murphi

15

Ruleset i : CacheIndex “Evict" CacheArray[i].State != Invalid ==> if (CacheArray[i].State == Dirty) begin Cache2Mem.opcode := WriteBack; Cache2Mem.Addr = CacheArray[i].Addr; Cache2Mem.Data = CacheArray[i].Data; end; CacheArray[i].State := Invalid; end

Eviction

16

Ruleset i : CacheIndex “Recv_Store" Cpu2Cache.opcode = Store & ( ( CacheArray[i].State != Invalid & CacheArray[i].Addr = Cpu2Cache.Addr) | ( addr_misses_in_cache(Cpu2Cache.Addr) & CacheArray[i].State = Invalid ) ) ) ==> CacheArray[i].Data := Cpu2Cache.Data; CacheArray[i].State := Dirty; Absorb(Cpu2Cache); end

Receiving a Store Request

17

Cache Controller RTL

Cache State & Addr Array

Eviction Logic

Hit? Pipe stage 1 Pipe stage 2 Cache Data Array Cpu2Cache Cpu2Mem

18 Cache State & Addr Array

Eviction Logic

Hit? Pipe stage 1 Pipe stage 2

Store(A0,D0)

Cache Data Array

Dirty,A1 Store(A0,D0) Store(A0,D0) WriteBack(A1,D1) D1 Dirty,A0 D0 WriteBack(A1,D1) Store Evict

Example RTL Behavior

19

Pipelining causes rules that are atomic in Murphi to be non-atomic in the RTL… This non-atomicity is resolved by the refinement map & history variables

Key point #2

20

Murphi semantics fire one rule at a time, while RTL has true rule concurrency. This is resolved by rule selection, which picks a sequence of Murphi rules to fire @ each RTL clock cycle

Key point #3

21

Example with Refinement Checker

Cache State & Addr Array Pipe stage 1 Pipe stage 2

Store(A0,D0)

Cache Data Array

Dirty,A1 Store(A0,D0) Store(A0,D0) WriteBack(A1,D1) D1 Dirty,A0 D0 WriteBack(A1,D1)

HLM RTL

Evict RecvStore

22

BTW: Everything’s System Verilog

RTL design under verification Test stimulus Refinement Map Rule Selection High Level Model

in consultation with Architects compiled into SV by a tool mu2sv

HW designers HW validators Us (FV team) Paper gives disciplined approach to writing SV code for these buggers

⇒ any off-the-shelf SV simulator works

23

mu2sv

 Translates a Murphi model into SV  Typedefs, procedures, functions, procedures,

invariants

 State variables get wrapped in a record type called

MURPHI_STATE

 Murphi rule R becomes SV function

function MURPHI_STATE R_sv(MURPHI_STATE ms,...);

 Errors if invoked when R’s guard is false in ms

 Rule coverage logging

 Valuable feedback for test-writers

24

Inspiration

• S. Tasiran, Y. Yu, and B. Batson, Linking

simulation with formal verification at a higher

• level. IEEE DToC, 2004.
• Used TLA+ & linked TLC model checker to simulation

engine

• Done as research after the project was complete
• Showed that subtle bug would have been caught

25

Application: Hierarchical Cache Protocol

Core cache Core cache Core cache Level1 Protocol Manager QPI Home Agent Core cache Core cache Core cache

• 3 person months to

develop

• Caught 8 bugs during

just 1 month of deployment!

• Was not deployed due

to chip cancellation ;-(

• Could allow up to 8

murphi rules to fire per RTL clock

Level1 Protocol Manager